edgi-govdata-archiving / web-monitoring-ops

Documentation and configuration files for EDGI’s deployment of Web Monitoring tools.
GNU General Public License v3.0

Move services public once we harden AWS #8

Status: closed (danielballan closed this 4 years ago)

danielballan commented 5 years ago

Per @jsnshrmn from today's call, we can safely make the service template public if we:

This also could be moot if we switch from AWS certs, with semi-sensitive ARNs, to LetsEncrypt.

jsnshrmn commented 5 years ago

It occurs to me that some AWS services let you use an ARN short form that doesn't include the account ID. I will do a quick test to see if that works with Kubernetes load balancers and ACM certs.

jsnshrmn commented 5 years ago

No dice, moving on.
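Since the full ARN (account ID included) has to stay in the load balancer annotation, the practical question before publishing is which ARNs in a template actually carry an account ID and how to scrub them. The following is an added example written for this discussion, not code from web-monitoring-ops: it parses ARNs by their documented `arn:partition:service:region:account-id:resource` shape, reports the 12-digit account IDs a file would disclose, and rewrites them to a placeholder. The Service manifest it scans is constructed for illustration (the ARN values are placeholders, not real resources); the `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` annotation is the in-tree AWS cloud-provider annotation and, consistent with the result above, is assumed to need the full ACM ARN.

```python
"""Pre-publication check for AWS account IDs carried in ARNs.

Added example for the discussion above; it is not code from
web-monitoring-ops. The manifest below is constructed for illustration and
its ARN values are placeholders, not real resources.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# ARN grammar: arn:partition:service:region:account-id:resource
# region and account-id may be empty (S3, IAM), and resource may itself
# contain ':' or '/'. Tokens are cut at whitespace and YAML/JSON quoting.
_FIELD = r"[^:\s'\",]*"
ARN_RE = re.compile(rf"arn:({_FIELD}):({_FIELD}):({_FIELD}):({_FIELD}):([^\s'\",]+)")

# Only a 12-digit account field is a real account ID; AWS managed IAM
# policies use the literal "aws" in that position.
_ACCOUNT_ID_RE = re.compile(r"\d{12}")


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str

    def carries_account_id(self) -> bool:
        return _ACCOUNT_ID_RE.fullmatch(self.account) is not None

    def with_account(self, account: str) -> str:
        """Re-serialise the ARN with a different account-id field."""
        return f"arn:{self.partition}:{self.service}:{self.region}:{account}:{self.resource}"


def _arn_from_match(m: "re.Match[str]") -> Arn:
    return Arn(*m.groups())


def parse_arn(value: str) -> Optional[Arn]:
    """Parse a single ARN, or return None if the string is not ARN-shaped."""
    m = ARN_RE.fullmatch(value.strip())
    return _arn_from_match(m) if m else None


def find_arns(text: str) -> List[Arn]:
    """Every ARN-shaped token in a config file, in order of appearance."""
    return [_arn_from_match(m) for m in ARN_RE.finditer(text)]


def leaking_account_ids(text: str) -> Set[str]:
    """Account IDs that would become public if this text were published."""
    return {a.account for a in find_arns(text) if a.carries_account_id()}


def redact(text: str, placeholder: str = "<AWS_ACCOUNT_ID>") -> str:
    """Replace the account-id field of every ARN that carries one; ARNs
    without an account ID (S3, managed policies) are left untouched."""
    def _sub(m: "re.Match[str]") -> str:
        arn = _arn_from_match(m)
        return arn.with_account(placeholder) if arn.carries_account_id() else m.group(0)
    return ARN_RE.sub(_sub, text)


# Constructed sample: a Service template of the kind discussed in this issue.
# The ssl-cert annotation is the in-tree AWS cloud-provider annotation and is
# assumed here to take the full ACM certificate ARN, account ID included.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Service
metadata:
  name: web-monitoring-api
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:123456789012:certificate/11111111-2222-3333-4444-555555555555
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    example.org/archive-bucket: arn:aws:s3:::example-archive-bucket
    example.org/managed-policy: arn:aws:iam::aws:policy/ReadOnlyAccess
spec:
  type: LoadBalancer
"""

if __name__ == "__main__":
    ids = leaking_account_ids(SAMPLE_MANIFEST)
    if ids:
        print("account IDs present:", ", ".join(sorted(ids)))
        print(redact(SAMPLE_MANIFEST))
```

Run it over every file in the repo before flipping it public; anything `leaking_account_ids` returns is a value that would also be needed, per the comment below, as one half of the root-account recovery flow. Redacting with a placeholder keeps the template usable as documentation while the real value is substituted at deploy time.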

jsnshrmn commented 5 years ago

As an aside, locking down the root account means more than just settings in AWS; we should verify that we're using an email address that isn't published anywhere / easily guessable and that we have good email security on that account, since the root user account email address and the account ID (part of an ARN) are components of account recovery. An attacker would still have to gain access to read emails for that root account, but it would be a potentially high value target, so we should make that difficult. https://aws.amazon.com/premiumsupport/knowledge-center/recover-aws-password/

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in seven days if no further activity occurs. If it should not be closed, please comment! Thank you for your contributions.

Mr0grog commented 5 years ago

@ibuys don’t know if you’ve seen this issue or have thoughts about it. If so, would love any feedback (or work) on it.

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in seven days if no further activity occurs. If it should not be closed, please comment! Thank you for your contributions.